Tuesday, December 13, 2011

In this post I will shed some light on another anti-attach trick. It relies on the fact that only one debugger is allowed to debug a given process at a time.

Implementing it is as easy as creating two executables (hereafter referred to as EXE1 and EXE2). EXE1 spawns and then debugs EXE2, so any further attempt to debug EXE2 will fail.

A demonstrating example can be found here. This executable just spawns calc.exe and then acts as its debugger. If you try to attach OllyDbg to calc.exe, you will get the message box shown in the image below.

N.B. Any attempt to close EXE1 will result in EXE2 being closed as well.
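To make the EXE1 side concrete, here is an added example (not the post's own code, and not the demo executable linked above) of a minimal Win32 "decoy" debugger in C: it spawns the child with DEBUG_ONLY_THIS_PROCESS and then services its debug events in a loop, which is all it takes to hold the debug port so that nobody else can attach. The function names, the placeholder child command line and the `keepChildOnExit` switch are this example's own choices. The Win32 loop only builds on Windows; the event-handling policy is factored out so it compiles and can be exercised elsewhere.

```c
/* Minimal "decoy debugger" in the role of EXE1 from the post: spawn a child
 * (EXE2) under DEBUG_ONLY_THIS_PROCESS and service its debug events until it
 * exits, so any other debugger's attach attempt fails. Added example, not the
 * post's own code; function names and the child command line are assumptions. */
#ifdef _WIN32
#include <windows.h>
#else
/* Stand-in definitions so the event-handling policy below compiles and can be
 * unit-tested off Windows (values match the Win32 SDK headers). */
typedef unsigned long DWORD;
#define DBG_CONTINUE               0x00010002L
#define DBG_EXCEPTION_NOT_HANDLED  0x80010001L
#define EXCEPTION_DEBUG_EVENT      1
#define CREATE_PROCESS_DEBUG_EVENT 3
#define EXIT_PROCESS_DEBUG_EVENT   5
#define EXCEPTION_BREAKPOINT       0x80000003L
#endif

/* Decide the status handed back through ContinueDebugEvent. A decoy debugger
 * must not swallow the debuggee's own exceptions, otherwise EXE2's structured
 * exception handlers never see them and it misbehaves; only breakpoint traps
 * (including the initial int3 ntdll raises on process start) are consumed. */
DWORD decide_continue_status(DWORD eventCode, DWORD exceptionCode)
{
    if (eventCode != EXCEPTION_DEBUG_EVENT)
        return DBG_CONTINUE;            /* thread/DLL/process events carry no exception */
    if (exceptionCode == EXCEPTION_BREAKPOINT)
        return DBG_CONTINUE;            /* breakpoint: just resume the thread */
    return DBG_EXCEPTION_NOT_HANDLED;   /* hand everything else to the debuggee's handlers */
}

#ifdef _WIN32
/* Returns 0 once the child has exited, -1 if it could not be started. */
int run_decoy_debugger(const char *childCmdLine, BOOL keepChildOnExit)
{
    STARTUPINFOA si = { sizeof(si) };
    PROCESS_INFORMATION pi;
    char cmd[MAX_PATH];                 /* CreateProcessA needs a writable command line */
    DEBUG_EVENT ev;

    lstrcpynA(cmd, childCmdLine, MAX_PATH);
    if (!CreateProcessA(NULL, cmd, NULL, NULL, FALSE, DEBUG_ONLY_THIS_PROCESS,
                        NULL, NULL, &si, &pi))
        return -1;

    /* By default Windows terminates every debuggee when its debugging thread
     * exits, which is exactly the behaviour the post's N.B. describes. */
    DebugSetProcessKillOnExit(keepChildOnExit ? FALSE : TRUE);

    for (;;) {
        DWORD status, exc = 0;
        if (!WaitForDebugEvent(&ev, INFINITE))
            break;
        /* File handles delivered with these two events belong to us; close them. */
        if (ev.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT && ev.u.CreateProcessInfo.hFile)
            CloseHandle(ev.u.CreateProcessInfo.hFile);
        if (ev.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT && ev.u.LoadDll.hFile)
            CloseHandle(ev.u.LoadDll.hFile);
        if (ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT)
            exc = ev.u.Exception.ExceptionRecord.ExceptionCode;
        status = decide_continue_status(ev.dwDebugEventCode, exc);
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status);
        if (ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT)
            break;
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}

int main(void)
{
    /* Placeholder child; the post's demo used calc.exe. */
    return run_decoy_debugger("calc.exe", FALSE) == 0 ? 0 : 1;
}
#endif
```

Two things about this loop matter for the rest of the post. First, the thread that called CreateProcessA is the debugging thread: the debug port is tied to it, so a later DebugActiveProcessStop only works when executed on that same thread, which is why the circumvention below has to redirect EXE1's own loop rather than call the API from somewhere else. Second, from the analyst's side the tell is simple: CheckRemoteDebuggerPresent on EXE2 reports TRUE while no debugger window is in sight, and the parent process in the tree is the only candidate for holding the port.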

To circumvent it, all we have to do is detach EXE2 from its debugger (EXE1) by calling the "DebugActiveProcessStop" function in the context of the debugging thread in EXE1.

For this I created a small debugger (I refer to it as EXE3).

1) EXE3 debugs EXE1.
2) EXE3 patches the "WaitForDebugEvent" function in the debug loop of EXE1, inserting a jump to the "DebugActiveProcessStop" function.